We put together practical guidance on the company and product issues teams need to consider about the Russian invasion of Ukraine. Here are five key questions operators should address.
Last updated 03/15/2022
Technology companies must consider immediately suspending service to individuals and businesses in Russia. Every company should ask themselves today:
Sanctions now being implemented by the US, EU, and other partners are designed to create society-wide pressure on the Russian leadership. They can only be effective if there is strong participation by industry. Technology companies have the opportunity to either support the aims of the sanctions–and help hasten the end of the conflict for the benefit of both Russian and Ukrainian people–or to stand idle and risk providing tools that undermine sanctions and prolong the conflict.
As sanctions take effect, Russian users will likely move payments, communications, and other services to firms that are less tightly controlled or fall outside of the direct application of sanctions. This is especially true of cryptocurrencies and other new payment mechanisms with weak traceability (e.g., Monero) and little to no regulatory oversight. A flight of money to these services risks weakening the impact of the sanctions regime and prolonging the suffering of those affected by Russia’s invasion.
We recognize that the vast majority of people–both Russian and Ukrainian–don’t want war and that depriving them of key services can inflict real hardship. Our guidance is premised on the view that the quickest way to restore peace and order, and avoid continuing escalation, is to support the global sanctions regime, and that this support is consistent with the intent of the law.
Companies across all industry sectors have started to take voluntary action to suspend services or business operations in Russia or extend additional support to Ukraine. Some examples include:
These actions, some at significant and irreversible cost to companies, will help ensure the effectiveness of sanctions regimes. They demonstrate an admirable willingness to put people and global peace above corporate profit, and decisive industry leadership.
Other actions have involved direct support for Ukrainians, like SpaceX rushing satellite internet terminals to the country in response to a request from Ukrainian officials, T-Mobile making long-distance calls between Ukrainians free, and Airbnb offering free housing for Ukrainian refugees. Nonprofits on the ground can be found here and here.
As these actions make clear, neutrality in the face of this kind of aggressive state action is untenable. At the very least, companies must be carefully examining their options and the impact of their ongoing operations.
You should pay particular attention to the privacy and security of your users’ information at a time when the consequences of disclosure can be very high. Military and state security forces may attempt to use information collected by or transiting through technology services to locate individuals or exact reprisals. If you continue to operate your service in these countries, you should ensure that personally identifiable information, including location, is securely encrypted in storage and transmission (ex. Cloudflare removing customers’ cryptographic material from Ukrainian servers).
You should be aware of legislation that recently passed the Russian state Duma. It would allow for the nationalization of property from firms that suspend operation in Russia, in response to the invasion. While this won't impact firms that are providing service on a cross-border basis, if you have physical assets or staff in Russia you will need to think through the impact. In particular, if you have user data, intellectual property or other materials in Russia you will need to ensure they are permanently deleted or secured.
If you have employees, contractors or other personnel in Russia or Ukraine this must be your top concern and you should do your best to help them during this difficult time. In particular, note that the Russian government has signaled a willingness to jail or otherwise punish local managers of firms that engage in activity considered unfriendly to the Putin regime. You should ensure that any decision to leave the market takes account of that risk and that you have planned for the safety of your local employees.
If possible, move work responsibilities to colleagues outside of the country to allow workers space to deal with the crisis. Also, consider covering relocation and other extra costs they are incurring as a result of the war, or assist them in finding places of refuge outside of the country. Much of Ukraine is an active war zone and communications and information flow can be limited. To the extent possible, provide frequent and proactive communication and have backup communication plans. Recognize that employees will be occupied with essential personal, family safety, and other matters. This includes employees working abroad with family members in the region. Make sure you communicate your support for prioritizing those things. If your personnel have not yet been directly impacted, you should make a plan to help ensure that necessary communication continues to flow and that you provide them as much support and assistance as possible. They will long remember what you do in these difficult times. Examples of companies taking action include: Lyft, Revolut, Wix.
In our view the default answer to this question for most companies should be no, unless there are compelling reasons to continue providing services that are consistent with the protection of human rights.
Examples of compelling reasons might include the following:
Of course this isn’t an exhaustive list and you will have to evaluate your decision based on modeling the impact of continuing to offer your products and services to Russian users and how innocent individuals may be impacted by your suspension or withdrawal from the market.
But in any case, companies need to immediately cease providing any technology that can be used against the Ukrainian people or to support Russian combat operations. Examples would include any tools that could be used to identify the location of individuals, current or anticipated positions of Ukrainian forces, or those with messaging services vulnerable to interception.
In our view it is also particularly important that cryptocurrency exchanges, custodial wallets, NFT marketplaces and other digital payments and asset providers suspend provision of services to users they believe to be in Russia. Failing to stop providing these services directly undermines the sanctions regime. Examples of companies taking action include: Outreach, DMarket, RBC Signals.
If you believe your service should remain in the country, ask what changes you should make to ensure that the service is not used for purposes unrelated to essential functionality, or to facilitate the war. Convene an internal working group on the Russia/Ukraine crisis to model and forecast ways your products could be used for organized campaigns that undermine societal goods. Establish listening mechanisms for customers, partners and employees to capture feedback and insights about the use of your products in the region. Create a governance structure to review organized efforts by various parties, including state actors, organized groups, and bad actors, to use your products and services for harm at scale. It is particularly important that as a CEO or founder you are not making these decisions alone. Decide now who else should be part of your decision-making process (board members, senior members of your team, outside advisors), and make sure you are in regular communication. Seek out advice from industry associations, analysts and partners to learn about how others in your industry are organizing and responding. Do not wait for customers, watchdogs or regulators to sanction you or direct you to act on issues associated with your products and services.
You should take special care to ensure that transactions outside of Russia that are associated with Russian businesses or individuals are not used for the evasion of sanctions. Where, for example, transactions of unusual size or volume are occurring, or accounts are held by entities with limited information about beneficial owners, you should investigate to ensure that your company is not facilitating sanction circumvention. This diligence is especially important for cryptocurrencies which have low traceability and may well go beyond what is traditionally done to comply with money laundering and sanctions regulations. In light of the volumes of money impacted by sanctions, there will be powerful incentives to try elaborate attempts to avoid them. You must take these efforts seriously, devote appropriate resources and, where possible, collaborate with industry peers to share information. The most aggressive circumvention schemes will impact multiple companies and technologies and collaboration will be essential for effective control.
Identifying user location can, of course, be challenging. At a minimum, you should consider IP address geolocation and any other data your company collects. For certain kinds of services, physical location can be easily masked or falsified.
If you need help working through your response, please reach out to us. This is a developing situation and we will update this newsletter if we learn more information that may be helpful.